Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
HP Privacy Security

HP Laptops Found To Have Hidden Keylogger (bbc.com) 116

Hidden software that can record every letter typed on a computer keyboard has been discovered pre-installed on hundreds of HP laptop models, BBC reported on Monday citing the findings of a security researcher. From the report: Security researcher Michael Myng found the keylogging code in software drivers preinstalled on HP laptops to make the keyboard work. HP said more than 460 models of laptop were affected by the "potential security vulnerability." It has issued a software patch for its customers to remove the keylogger. The issue affects laptops in the EliteBook, ProBook, Pavilion and Envy ranges, among others. HP has issued a full list of affected devices, dating back to 2012. Mr Myng discovered the keylogger while inspecting Synaptics Touchpad software, to figure out how to control the keyboard backlight on an HP laptop. He said the keylogger was disabled by default, but an attacker with access to the computer could have enabled it to record what a user was typing. According to HP, it was originally built into the Synaptics software to help debug errors. It acknowledged that could lead to "loss of confidentiality" but it said neither Synaptics nor HP had access to customer data as a result of the flaw.
This discussion has been archived. No new comments can be posted.

HP Laptops Found To Have Hidden Keylogger

Comments Filter:
  • by 140Mandak262Jamuna ( 970587 ) on Monday December 11, 2017 @07:23AM (#55715041) Journal

    but it said neither Synaptics nor HP had access to customer data as a result of the flaw.

    It is like Yale announcing that its locks, made since 1929, could be opened by any pentalobulous screw driver, but neither Yale, nor the screwdriver maker, got any share of the loot taken by any burglar taking advantage of the flaw.

  • by Anonymous Coward on Monday December 11, 2017 @07:26AM (#55715057)

    How do you end up with an attacker that can write to your registry (and also read your log files) but can't just install their own keylogger?

    • by TWX ( 665546 ) on Monday December 11, 2017 @09:10AM (#55715563)

      An attacker's own keylogger might well be recognized as malicious and blocked from communicating with the network stack or otherwise blocked by not appearing in a whitelist in a corporate environment. The trusted device driver for the keyboard would probably be whitelisted and since vendor software is usually allowed to talk to the Internet so that it can check for updates, allowed to communicate. With these in-mind, the attacker's own payload to activate the keylogger might make so few changes as to not be recognized for what it is by such security software. Also, if someone were to hack HP or Synaptics' systems they could potentially enable it subtly where it might not be obvious that it has been enabled.

      Additionally those traveling internationally with these laptops where the computer may be 'inspected' by a foreign government could find such a logger enabled and again, the security software on the computer might not recognize that it has happened while it might recognize third-party software. If that government would have a second opportunity to inspect the computer then they could retrieve the contents of the log.

      • An attacker's own keylogger might well be recognized as malicious and blocked from communicating with the network stack...

        What led you to believe the built-in tool sends the keystrokes over the network? The attacker is still on the hook for exfiltration, so the GP is correct: at that point he has already won.

      • This sounds like a James Bond Story.. There is an assumption here that foreign governments have all the "admin" passwords for all company owned laptops in the world. OK, Lets assume this is true, Lets say you have old driver and you did not upgrade to recent version, let's say they have your particular admin password and they took your laptop long enough to modify unpublished registry and enable the particular issue where information is embedded with other ETL messages which are binary encoded. These
    • It makes life considerably easier when the malicious software is considered part of the standard code base, instead of having to connect storage or download something external to the machine you simply have to run a command or two to activate the existing code. Much faster, much easier.

      File integrity or heuristic monitoring software like antivirus software will likely ignore pre-installed malicious code.

      Network level scanning for downloads of likely keyloggers will also not be triggered.

  • What I miss. (Score:5, Insightful)

    by orlanz ( 882574 ) on Monday December 11, 2017 @07:31AM (#55715075)

    This is one of the reasons I really liked the preprocessor in C. I miss #IF DEBUG / #ENDIF.

    • Comment removed based on user account deletion
      • Re:What I miss. (Score:5, Interesting)

        by KiloByte ( 825081 ) on Monday December 11, 2017 @08:02AM (#55715193)

        I call bullshit on this "mistake" not being intentional. Their coding practices might be bad for other reasons, but if companies add backdoors left and right, at this point it's reasonable to assume malice rather than stupidity.

        • Comment removed based on user account deletion
        • Sufficiently advanced stupidity is indistinguishable from malice. (mod on Arthur C Clarke.)
  • by Anonymous Coward on Monday December 11, 2017 @07:41AM (#55715115)

    Wouldn't someone able to access the device and enable the keylogger be instead able to, you know, install a keylogger ?

    Hype.

  • Thanks to Intel ME (Score:2, Insightful)

    by ReneR ( 1057034 )
    Each and every recent Intel Core-i with ME can have a very hidden key logger running in the ME the whole day, and even sending them out on the NIC. Say NO to hidden "security" backdoor processors, and "military grade" *lol* trust zones, ....
  • by sasparillascott ( 1267058 ) on Monday December 11, 2017 @08:11AM (#55715241)
    Just like the things we saw with the networking folks, another vendor says oops look at this surveillance tool we just happened to have left in our production stack we've been putting on all our machines for years. Time for someone to look at Dell and see if they've made the same "mistake".
    • by Zero__Kelvin ( 151819 ) on Monday December 11, 2017 @08:26AM (#55715317) Homepage
      Every vendor that ships Windows 10 ships their product with a surveillance tool. At least this one can be and is disabled.
    • by Anonymous Coward

      You're clearly never worked at a large software company. Stuff like this is standard. A respected financial company used a backdoor into their software to auto-install updates to get around having to deal with customer IT departments sitting on their updates before installing them. Instead of having to wait for an IT department to approve the SW changes, the company would push them out without telling anyone. Though at least the updates were extensively tested before hand.

      Well, this was before the pract

    • Just like the things we saw with the networking folks, another vendor says oops look at this surveillance tool we just happened to have left in our production stack we've been putting on all our machines for years. Time for someone to look at Dell and see if they've made the same "mistake".

      NSA to HP: That backdoor has been compromised we need another or you know what will happen, no more government contracts.

      HP to rest: Oh look what was found, well it's easy to explain; nothing to see here.

  • by Palmateer ( 1533975 ) on Monday December 11, 2017 @08:42AM (#55715391)
    So I own two of the laptops listed. They both originally came with Win7. I've rebuilt them clean with Win10 which installed a Synaptics driver on its own which is a waay newer version than what HP originally shipped or any updates they previously provided for Win7. Does anyone know if there's a test to see if the version you have is affected? Now HPs offering a softpaq with a new driver. If I install that one is Windows Update going to clobber it when the next one comes out? Will the Windows Update versions include the 'fix'?
    • by Luckyo ( 1726890 ) on Monday December 11, 2017 @09:08AM (#55715551)

      You already installed win10, which comes with built in microsoft keylogger, among other monitoring implements that call home. Your worry is like worrying about getting wet from crying after your ship sank and you're floating in the ocean.

      • You already installed win10, which comes with built in microsoft keylogger, among other monitoring implements that call home. Your worry is like worrying about getting wet from crying after your ship sank and you're floating in the ocean.

        As far as I can tell if one disables Windows Cortana (Autoruns) updates are stopped and problem solved. It could be something else involved but Process Explorer seems to agree.

        • by Luckyo ( 1726890 )

          Oh you naive summer child. Cortana is just a small part of the "log everything user does and call home with this information" package, specifically the part that always listens to the user.

          Tracking key presses is another part of internal spyware systems in win10, as is tracking of applications used and usage times and so on.

  • by Holi ( 250190 ) on Monday December 11, 2017 @08:55AM (#55715459)
    Sorry but how the hell do you allow this to happen twice?

    http://www.zdnet.com/article/k... [zdnet.com]

    Maybe it's time for law enforcement to get involved.
    • by MTEK ( 2826397 )

      Maybe, but law enforcement should definitely get involved if a teleporter vendor were to follow your sig's logic. You're invoking kill() before copy(). Might as well beam the poor bastard to /dev/null.

    • by Legion ( 15548 )

      You assume:
      A) it was an accident in either instance, and
      B) law enforcement (NSA) wasn't directly involved in both.

  • So an attacker with access to the computer could turn on HP's built-in keylogger.

    Couldn't that same attacker with access to the computer install and turn on his own keylogger, which is probably to his preference because it works with the rest of his toolkit seamlessly on any model of computer instead of just on HPs?

    So, what's the impact exactly?

    This reminds me of promiscuous mode on ethernet interfaces. Debugging tool with security implications that is turned off by default. Useful. Not a big deal. Usef

    • by Anonymous Coward

      It means someone with access to the computer can start keylogging without:

      - having to download or install anything from the internet or local media, in cases of airgapped or usbport-glued-up machines
      - without any virus scanner or regular auditing software detecting any new exes or files installed on the machine
      - bypassing any kind of 'trusted exe only' hardened security rules

      I'm sorry your lack of imagination means you don't see what the impact of this is, or ways in which it differs to an attacker installi

  • When the original keylogger problem was discovered a few months ago, HP said it was because someone left the debug "feature" for keylogging turned on by accident. So why is everyone surprised it exists, at least in the old versions?
    • Re: (Score:3, Informative)

      by Desler ( 1608317 )

      Because this is about a different driver having a keylogger. So, no, it’s not old news.

      • That's interesting... Implies any driver that uses the HP hotkeys could have the issues... Hmm... Thanks for the clarification....
      • The optimist in me wants to think that in response to the last keylogger (in the audio driver) HP did an audit and found this other "oops" in the Synaptics driver. Actually, that would be good spin. Unfortunately, I think systematic incompetence is more likely. Wonder if other drivers have this "feature" enabled, perhaps on machines from other vendors...
  • Comment removed based on user account deletion
  • This is very alarming, whether HP or Synaptics did or did not leak any customer information. They should not be saving keystrokes without user permission. - http://www.backgroundpi.com/ [backgroundpi.com] team
  • This is only the billionth time that debug code has made it into a production release. It will continue to happen unless there are consequences.

    I think I'd like to see a modest fine from the government whenever debug code makes it into a production environment in a way that poses a risk to security or confidentiality.

    Not enough to really hurt a business. Just enough to encourage following SOPs so their projects are built correctly before getting shipped out to customers.

  • HP pre-installs a keylogger so I don't have to click on pr0n popups to get one installed. Just another customer service from HP. Yay.

  • Both HP and Synaptics should get out of the software business. Even if you ignore this flaw; the touchpad drivers installed on HP computers are so awful, unresponsive, glitchy, buggy, and unusable, it's no wonder Microsoft is slamming the hammer down with Precision Touchpad drivers.

  • What a bunch of FUD...

    > an attacker with access to the computer could have enabled it to record what a user was typing

    An attacker with access to the computer could just install a keylogger. This is a non-issue.

  • if keyloggers are present on your system by default.

    By extension, it should be simple to include a built in hardware keylogger into the guts of any keyboard. Simply type in a key sequence to bring up the log file.

    I used to have a usb dongle that did this, don't see why it couldn't be wired directly into the keyboard itself. No way to find it without tearing apart the keyboard and knowing what to look for.

Those who can, do; those who can't, write. Those who can't write work for the Bell Labs Record.

Working...